path: root/mm/shmem.c
diff options
authorGreg Thelen <gthelen@google.com>2013-02-22 16:36:02 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2013-02-23 17:50:23 -0800
commit49cd0a5c290f99deca3463d16c3c1c7240107889 (patch)
tree90a7f92f4b48463483644270355006419bd0f9af /mm/shmem.c
parenttmpfs: fix use-after-free of mempolicy object (diff)
tmpfs: fix mempolicy object leaks
Fix several mempolicy leaks in the tmpfs mount logic. These leaks are slow - on the order of one object leaked per mount attempt. Leak 1 (umount doesn't free mpol allocated in mount): while true; do mount -t tmpfs -o mpol=interleave,size=100M nodev /mnt umount /mnt done Leak 2 (errors parsing remount options will leak mpol): mount -t tmpfs -o size=100M nodev /mnt while true; do mount -o remount,mpol=interleave,size=x /mnt 2> /dev/null done umount /mnt Leak 3 (multiple mpol per mount leak mpol): while true; do mount -t tmpfs -o mpol=interleave,mpol=interleave,size=100M nodev /mnt umount /mnt done This patch fixes all of the above. I could have broken the patch into three pieces but is seemed easier to review as one. [akpm@linux-foundation.org: fix handling of mpol_parse_str() errors, per Hugh] Signed-off-by: Greg Thelen <gthelen@google.com> Acked-by: Hugh Dickins <hughd@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to '')
1 files changed, 10 insertions, 3 deletions
diff --git a/mm/shmem.c b/mm/shmem.c
index 5e2ff592e3b8..1ad79243cb7b 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2385,6 +2385,7 @@ static int shmem_parse_options(char *options, struct shmem_sb_info *sbinfo,
bool remount)
char *this_char, *value, *rest;
+ struct mempolicy *mpol = NULL;
uid_t uid;
gid_t gid;
@@ -2413,7 +2414,7 @@ static int shmem_parse_options(char *options, struct shmem_sb_info *sbinfo,
"tmpfs: No value for mount option '%s'\n",
- return 1;
+ goto error;
if (!strcmp(this_char,"size")) {
@@ -2462,19 +2463,24 @@ static int shmem_parse_options(char *options, struct shmem_sb_info *sbinfo,
if (!gid_valid(sbinfo->gid))
goto bad_val;
} else if (!strcmp(this_char,"mpol")) {
- if (mpol_parse_str(value, &sbinfo->mpol))
+ mpol_put(mpol);
+ mpol = NULL;
+ if (mpol_parse_str(value, &mpol))
goto bad_val;
} else {
printk(KERN_ERR "tmpfs: Bad mount option %s\n",
- return 1;
+ goto error;
+ sbinfo->mpol = mpol;
return 0;
printk(KERN_ERR "tmpfs: Bad value '%s' for mount option '%s'\n",
value, this_char);
+ mpol_put(mpol);
return 1;
@@ -2550,6 +2556,7 @@ static void shmem_put_super(struct super_block *sb)
struct shmem_sb_info *sbinfo = SHMEM_SB(sb);
+ mpol_put(sbinfo->mpol);
sb->s_fs_info = NULL;